Maddy Mail Server
Communication & Email
A composable, all‑in‑one mail server that combines MTA, MX and IMAP functionality with built‑in security protocols (DKIM, SPF, DMARC, DANE, MTA‑STS) to replace Postfix, Dovecot, OpenDKIM, etc.
Features
- Acts as both an outbound SMTP MTA and inbound MX mail exchanger
- Provides IMAP access for stored messages (beta)
- Bundles security protocols: DKIM, SPF, DMARC, DANE, MTA‑STS
- Uniform configuration and minimal maintenance compared to separate components
Recent releases
- Removed special handling for maddyctl symlink; maddy executable no longer changes behavior when called as maddyctl.
- Removed defaulting to 'maddy run' when no command is explicitly specified.
Full changelog
IMPORTANT
Special handling for maddyctl symlink is removed. maddy executable
will no longer change behavior if called as maddyctl.
Default to 'maddy run' if no command is explicitly specified
has been removed as well. The warning about its deprecation was here
since 0.6 (4 years ago).
The reason for removal is inconsistency in --log flag handling
caused by related hacks in CLI setup code.
Minor additions
- smtp: add LOGIN SASL auth directive (thanks Sean van Osnabrugge!)
Bug fixes
- log: Refactor to define proper loggers tree
  This in turn should fix numerous inconsistencies in how
  logger is configured.
- Fixed limiters group configuration (thanks Denis Girko!)
  Per-destination limits are now initialized correctly and work.
- storage/imapsql: Upgrade go-imap-sql to fix SQLITE_BUSY issues
  This will fix a lot of "database is locked" errors for imapsql use
  with SQLite.
- storage/imapsql: Fix handling of serialization errors
  If "database is locked" still happens, clients will receive proper
  temporary error codes instead of 5xx
- CVE-2026-40193 (GHSA-5835-4gvc-32pc) — LDAP injection vulnerability allowing extraction of password hashes and authorization information
Full changelog
This release includes the fix for the LDAP injection vulnerability
in auth.ldap module (advisory GHSA-5835-4gvc-32pc, CVE-2026-40193).
All users using auth.ldap are advised to upgrade, as this vulnerability
can be used to extract LDAP directory information, including password
hashes and other authorization information.
Thanks @RealHurrison and @Ghost1032 for the detailed report!
Fixes
- auth/ldap: Fix GHSA-5835-4gvc-32pc
- module: Break dependency cycles when loading config correctly (Thanks @balejk)
- Fixed panic in rspamd when TLS client settings are unspecified.
Full changelog
Fixes
- rspamd: fix panic on unspecified tls_client by @oidq in https://github.com/foxcpp/maddy/pull/830
Full Changelog: https://github.com/foxcpp/maddy/compare/v0.9.1...v0.9.2
- rspamd integration is broken in v0.9.1; requires upgrading to v0.9.2 or later
Full changelog
⚠️ rspamd integration is broken in 0.9.1, use 0.9.2.
Important changes
- libdns: Deprecate libdns providers not updated for libdns 1.x
0.9.1 is (probably) the last release to support the following libdns
providers for ACME DNS challenge:
- vultr
- namedotcom
- leaseweb
0.9.1 is also the last release to support libdns.gandi with API
tokens, 0.10.0 will require using new Bearer-type tokens
for authentication.
See https://github.com/foxcpp/maddy/issues/807 for details.
Fixes
- openmetrics: Fix initialization code (thanks @cxvqo!)
- auth/ldap, check/rspamd: Fix tls_client directive definition.
- endpoint/imap: Unbreak proxy_protocol